
Vulnerability Assessment of Cyber Security in

Power Industry
Yu Jiaxi, Student Member, IEEE, Mao Anjia and Guo Zhizhong

Abstract--Cyber system plays an important role in supervising
and controlling power system. Besides its contribution of much
convenience to power industry, the cyber system brings some
potential danger because of its inherent vulnerability. It is
significant to assess the vulnerability of cyber system, determine
its risk to power industry, find out the weak parts, set
appropriate response to the probable accidents and enhance the
safety of the cyber system. By analyzing the threats and
vulnerability of cyber system in detail, mainly including the
vulnerability of SCADA (Supervisory Control and Data
Acquisition) system, EMS (Energy Management System) and
MIS (Management Information Systems), this paper proposes
two methods, the probabilistic assessment and the integrated risk
assessment, to assess the cyber security vulnerability. And some
ways are suggested to promote the security of cyber system in
power industry.
Index Terms--Cyber security, integrated risk assessment, power system, probabilistic assessment, vulnerability assessment.
I. INTRODUCTION
The goal of a modern power system is to provide customers with reliable, cheap, high-quality power (the important operating parameters, such as voltage, frequency, and phase angle, should be maintained within the permissible limits). However, as a national critical infrastructure, the power system is becoming more and more interdependent with other critical infrastructures, such as transportation, communication and financial systems. Interactions between these networks increase the complexity of power system operation and control, which is exacerbated by the deregulation and restructuring of the power industry. And the interconnected nature of these networks makes them vulnerable to cascading failures with widespread disasters. Secure and reliable operation of these systems is fundamental to our economy, security and quality of life.

Yu Jiaxi is with the Department of Electrical Engineering, Harbin Institute
of Technology. Harbin, Hei Longjiang Province, China. (E-mail:
yujiaxi1980@sina.com, jiaxiy@bjxj-xjgc.com. Address: Harbin Institute of
Technology 353#, Harbin, China 150001)
Mao Anjia is with the Department of Electrical Engineering, Harbin
Institute of Technology. Harbin, Hei Longjiang Province, China. (E-mail:
angel_maoyang@sohu.com, anjiam@bjxj-xjgc.com. Address: Haidian shang-
di xinxi Road 5#, xj-epri, Beijing, China 100085)
Guo Zhizhong is with the Department of Electrical Engineering, Harbin
Institute of Technology. Harbin, Hei Longjiang Province, China. And he is
with xj electric power research institute, Beijing China. (E-mail:
zhizhongg@bjxj-xjgc.com. Address: Haidian shang-di xinxi Road 5# xj-epri,
Beijing, China 100085)
The power grid is a sprawling network. High voltage, long distance transmission and regional interconnection are the characteristics of a modern power system [1]. Through more than a hundred years of development, the power systems in almost all countries have become huge, widespread systems, which may span several states or countries geographically. Moreover, with the deregulation and restructuring of the power industry and the introduction of competition and the power market, the size as well as the complexity of the power grid has increased.
Today, the North American power network may realistically be considered to be the largest machine in the world, since its transmission lines connect all the electric generation and distribution on the continent [2]. In China, a developing country, the power grids are also developing rapidly and are almost connected into a single grid, as shown in Fig. 1.
Fig. 1. Diagram of the China power grids (Northeast, North, Northwest, Tibet, Center, East and South), which are being connected into a single grid.
To maintain and control this huge wide-area system, the cyber system plays an important role. The basic tools in the power industry are the Energy Management System (EMS) and the Supervisory Control And Data Acquisition (SCADA) system. The Remote Terminal Unit (RTU), which is installed in local power plants or substations, collects power system operating information, sends it to the Control Center through a private communication network of microwave and/or optical fiber, and executes control instructions from the Control Center. By this means, the operators in the Control Center can monitor and control the whole power system. The EMS analyzes the information collected by SCADA and helps the operators grasp the operating state of the power system more accurately.
The EMS can also help the operators make better schedules and take more appropriate actions. Fig. 2 shows the power system and its SCADA system. Together with Automatic Generation Control (AGC) and Local Voltage-reactive power Control (VQC), the SCADA system forms the control system of the power system [3], [4].
1-4244-0178-X/06/$20.00 ©2006 IEEE   PSCE 2006
Fig. 2. Diagram of the power system and its SCADA system.
Originally the control system of the power system was comparatively isolated. However, as the industry transitions to a deregulated environment, the power companies are fundamentally restructuring the ways they conduct business as well as the types of business they conduct. To improve efficiency and cut down costs, many enterprises introduce a Management Information System (MIS) into their companies. Therefore, electric power companies are becoming more reliant on robust, expansive, and open information systems. With the expansion of the information system comes a corresponding increase in information security vulnerability. Efforts to allow easier access to operation, customer, and supplier information, combined with the expansion of corporate IT (Information Technology) boundaries as the result of mergers and acquisitions, vastly increase the security vulnerabilities of the power industry. As a result, the impact of a security breach goes beyond operational concerns, and can have a devastating impact on the financial well-being of a company [5]. A prevalent opinion is that the safety of the cyber system is even more crucial than the power system itself [6].
II. THREATS AND VULNERABILITY OF CYBER SYSTEM IN POWER INDUSTRY
Massoud Amin has summed up the threats to the power system into three categories [7]:
Attacks upon the power system. In this case, the electricity infrastructure itself is the primary target, with outages rippling into the customer base. The point of attack could be a single component, a critical substation or a transmission tower. Or there could be a simultaneous, multi-pronged attack intended to bring down an entire regional grid. Similarly, the attack could target electricity markets, which are highly vulnerable because of their transitional status.
Attacks by the power system. Here, the ultimate target is the population, using part of the electricity infrastructure as a weapon. Terrorists could use the cooling towers of a power plant, for example, to disperse chemical or biological agents.
Attacks through the power system. The target is the civil infrastructure in this case. Utility networks include multiple conduits for attack, including lines, pipes, underground cables, tunnels, and sewers. For example, terrorists could couple an electromagnetic pulse through the grid to damage computer or telecommunication infrastructure.
As to the cyber threats to the power system, we mainly consider the first kind of threat: intruders attacking the power system through the cyber vulnerabilities of the power industry. This would cause the failure of critical equipment in the power system and lead to catastrophic blackouts.
The challenge to the cyber security of the power industry is rooted in two aspects: the high dependency on the cyber system and the neglect of cyber security. In a present-day power industry control center, once the SCADA system fails, the operators sometimes can do nothing to control the power system, and the whole control center and the power system will rapidly fall into chaos. On the other hand, however, the operators are indifferent to cyber security. For example, the operating system of the computers may not be duly patched, the virus definitions may not be updated in time, the firewall may not be configured properly, access rights may not be assigned according to duties, the default user and password provided by the software provider may not be disabled, and the password may be too simple, such as 12345678. All of these lead to the vulnerability of the cyber system.
The cyber system in the power industry may be divided into two categories, that is, the control system and the management information system. The former mainly refers to the SCADA/EMS; the latter includes all the management and information software in the power industry. Because their functions in the power industry and their influence on the power system are different, we analyze their vulnerabilities separately.
A. Vulnerability of Control System
While it influences power system directly, SCADA/EMS is
inherently vulnerable, because:
1) SCADA system was originally designed to be isolated
but operates in corporate environment.
When designed, the SCADA system was assumed to operate in a private network separated from other corporate enterprise communications, including the Extranet and the Internet. So there was almost no threat to the system except mis-operation by the operator and malicious breach. Unfortunately, to improve competitiveness and reduce costs, power enterprises have to employ management information systems, which interconnect office and electronic commerce systems with these control systems. This has inadvertently exposed control systems directly to the Extranet, the Internet and remote dial-up capabilities that are vulnerable to cyber intrusions [8], [9].
2) Control systems have been designed to be efficient,
rather than secure.
These systems, such as the SCADA system, have been designed with critical timing requirements, rigid performance specifications, and specific task priorities. These systems are also limited in computing resources and communication bandwidth. These constraints preclude the use of existing security technology such as encryption and certificate authentication, which are resource consuming. The poor security measures lead to the vulnerability of the cyber system.
3) The source code of the system is open
Generally, the source code of SCADA/EMS is provided to the power enterprises together with the systems, so a disgruntled employee may discover vulnerabilities of the system from this code. Furthermore, the same system may be installed in many districts or countries, and general information about the customer enterprises may be publicized by the providers as their outstanding achievements. Therefore, once some special situation arises, such as war, opponents may attack the power system through the holes in the software.
4) Remote access
The maintenance of SCADA/EMS is time consuming. Because of the limits of the operators' professional knowledge, the maintenance job needs the participation of the system provider. However, to cut down their costs, providers usually do their maintenance job through remote access, either by modem dial-up or by Virtual Private Network (VPN), which increases the vulnerability of the cyber system.
5) Default user or password, backdoors
Before the SCADA/EMS system is delivered to the power industry, the providers must test and adjust the system locally. For convenience, the provider's programmers may set a default user or default password in the system, or even backdoors. It is dangerous for the system if the default user, password or backdoor is not disabled and is found by cyber attackers.
6) Communication protocols and communication networks
Control systems communications utilize industry-accepted
protocols. However these protocols have been designed
without or with little security considerations. Reliable
operation of control systems depends on telecommunications
including voice, data, radio, and microwave. In some cases,
the telecommunications system is wholly under the ownership
and operation of the utility. In other cases, telecommunication
facilities are leased from telecommunication providers. These
telecommunication providers may inadvertently contribute to
the unavailability of control system.
The existence of both internal and external links from SCADA systems to other systems introduces vulnerabilities. At this time, however, preliminary analysis of information derived from interviews with operators provides no evidence indicating exploitation of these vulnerabilities before or during the outage [10]. But regional blackouts caused by cyber system vulnerability are often reported [11]. In China, there have been several cyber security accidents in recent years [12]. Some are listed as follows.
1. On Oct. 13, 2000, the control system in the Sichuan Ertan hydro power plant received an abnormal signal and stopped. 890 MW was lost in 7 seconds and the whole power grid in Sichuan almost collapsed.
2. On Oct. 1, 2001, a logic bomb was found in the oscillatory recorders produced by a company. There were 146 sets of this kind of recorder in use in China at that time.
3. On Dec. 30, 2003, a virus was found in the Longquan-Zhengping-Echeng inversion substation control system, which was caused by a technician browsing the web during the course of debugging.
4. In the year 2002, an information security assessment company circulated the vulnerability assessment result of a power corporation as promotional material.
All of these, and the experience and lessons from other cases, tell us that an intruder can hack into the control system in the power industry and cause an accident even more severe than the catastrophe of the 8.14 blackout [11].
B. Vulnerability of Management Information Systems
Compared with that of the control system, the influence of MIS vulnerability on the power system is smaller. However, because MIS relates to the production, selling, and financial operation of the power industry, the cyber vulnerability of MIS, which is mainly shown as follows, also deserves our attention.
1) Information island and IT black hole
For lack of unified criteria and design, both the independent tools and the integrated solutions of the existing MIS are mainly isolated applications or a simple accumulation of business function modules, which are separated from each other. Because of the vulnerable nature of this infrastructure, the development, maintenance and extension of MIS are difficult, which leads to the ubiquity of the IT black hole. Just as Frederick Brooks said in his book and paper: "There is no single development, in either technology or management technique, which by itself promises even one order-of-magnitude improvement within a decade in productivity, in reliability, in simplicity" [13], [14].
2) The quality of MIS
Since no special knowledge of power systems is required to develop MIS, almost any software company can design and develop MIS. It cannot be excluded that the MIS used in the power industry is developed by some inferior software company, and there could be severe vulnerabilities in those software systems.
3) Abuse of web technology
The tendency to use a web browser to access the system exposes the whole system to the Extranet or Internet, which makes the system vulnerable to cyber attacks.
4) Operation System Security and Virus
Most MIS are designed for Microsoft Windows. Because of the security of Windows itself and its popularity, cyber attackers may find ways to intrude into the operating system easily. Moreover, there are too many viruses aimed at Windows and its applications.
5) Threats to control system
Although MIS does not access the control system directly, some applications may need information from SCADA/EMS. The connection of the corporate network to the control system network brings a potential threat to the control system.
Moreover, the most important commercial secrets, such as enterprise information, client information, financial information etc., are in MIS. An information leak may cause great loss to the power corporation.
III. VULNERABILITY ASSESSMENT OF CYBER SECURITY
Vulnerability assessment of cyber security is one of the most important steps in promoting cyber security. Through assessment, the vulnerable parts of the cyber system can be identified, for which appropriate responses can be planned. In this paper, we propose two kinds of method, the probabilistic assessment and the integrated risk assessment, to assess the cyber security of the power industry.
A. Probabilistic assessment
In this method, firstly the probabilities of occurrence of the cyber security events are summed up. Then the probabilities of the accidents caused by the relevant events are calculated, and the related loss is obtained. With this information, we can compute the vulnerability index of the cyber system by the following formula.
$$I_c = \sum_{j \in N} P(E_j)\, P(EL_j \mid E_j)\, L_j(EL_j) \qquad (1)$$
where $I_c$ is the cyber security vulnerability index, $N$ is the set of cyber security events considered, $E_j$ is the $j$-th cyber security event, $P(E_j)$ is the probability of the event occurring, $EL_j$ is the power system accident, $P(EL_j \mid E_j)$ is the probability of the power system accident caused by the cyber security event $E_j$, and $L_j$ is the loss caused by accident $EL_j$.
The difficulty of this method is to identify the probability distribution of the cyber security events. However, many efforts have been made to remove this obstacle. For instance, [15], [16] consider cyber security events to be Poisson distributed. This method is suited to assessing the cyber security vulnerability of the control system.
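As an added worked example (not part of the paper), the following Python code evaluates formula (1) over a small set of constructed cyber security events. The Poisson assumption of [15], [16] is used to turn an annual event rate into P(E_j); the event names, rates, conditional accident probabilities and losses are constructed illustrative values. The per-event ranking goes one step beyond the text by listing which events dominate the index, which is how the "weak parts" the assessment is meant to find would be read off.

```python
from dataclasses import dataclass
from math import exp


@dataclass(frozen=True)
class CyberEvent:
    """One cyber security event E_j and the quantities formula (1) needs for it."""
    name: str
    rate_per_year: float           # lambda_j: mean occurrences per year (Poisson assumption, [15], [16])
    p_accident_given_event: float  # P(EL_j | E_j): probability the event causes a power system accident
    loss: float                    # L_j(EL_j): loss caused by that accident (any consistent unit)

    def __post_init__(self):
        if self.rate_per_year < 0:
            raise ValueError(f"{self.name}: event rate must be non-negative")
        if not 0.0 <= self.p_accident_given_event <= 1.0:
            raise ValueError(f"{self.name}: P(EL_j | E_j) must lie in [0, 1]")
        if self.loss < 0:
            raise ValueError(f"{self.name}: loss must be non-negative")


def poisson_event_probability(rate_per_year: float, horizon_years: float = 1.0) -> float:
    """P(E_j): probability that event j occurs at least once within the horizon,
    for a Poisson process with the stated mean rate (P = 1 - exp(-lambda * T))."""
    return 1.0 - exp(-rate_per_year * horizon_years)


def event_contribution(event: CyberEvent, horizon_years: float = 1.0) -> float:
    """One summand of formula (1): P(E_j) * P(EL_j | E_j) * L_j(EL_j)."""
    p_event = poisson_event_probability(event.rate_per_year, horizon_years)
    return p_event * event.p_accident_given_event * event.loss


def vulnerability_index(events, horizon_years: float = 1.0) -> float:
    """I_c from formula (1): the sum of the expected losses over all events j in N."""
    return sum(event_contribution(ev, horizon_years) for ev in events)


def rank_weak_parts(events, horizon_years: float = 1.0):
    """Events ordered by their share of I_c, largest first: the weak parts to address."""
    total = vulnerability_index(events, horizon_years)
    ranked = sorted(events, key=lambda ev: event_contribution(ev, horizon_years), reverse=True)
    if total == 0.0:
        return [(ev.name, 0.0) for ev in ranked]
    return [(ev.name, event_contribution(ev, horizon_years) / total) for ev in ranked]


# Constructed sample events (illustrative values only, not measured data).
SAMPLE_EVENTS = [
    CyberEvent("malware on unpatched operator workstation", 0.5, 0.2, 100.0),
    CyberEvent("misuse of vendor remote-maintenance access", 0.1, 0.5, 800.0),
    CyberEvent("default credentials left enabled on RTU", 0.2, 0.3, 300.0),
]

if __name__ == "__main__":
    print(f"I_c over one year = {vulnerability_index(SAMPLE_EVENTS):.2f}")
    for name, share in rank_weak_parts(SAMPLE_EVENTS):
        print(f"  {share:6.1%}  {name}")
```

With these constructed inputs the vendor remote-access event contributes about 61% of the index even though it is the rarest of the three, because its conditional accident probability and loss are the largest; the ranking, not just the total, is what tells the defender where to spend effort.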
B. Integrated risk assessment
This method is an integrative method for assessing the cyber security risk of a corporation, and is suited to the vulnerability assessment of MIS in the power industry.
In this method, the level of cyber security risk is first classified into five categories, and each category is assigned a value to indicate the relevant risk, as shown in TABLE I. The Performance Index (PI) is the reference value used to identify the risk level; it may be calculated by different methods of assessing the vulnerability.
TABLE I
THE CATEGORIES OF CYBER SECURITY RISK

Risk Level | Very Low | Low   | Normal | High  | Very High
PI         | <35      | 35-45 | 45-65  | 65-75 | >75
LV         | 1        | 2     | 3      | 4     | 5
Then the cyber security-risk matrix is set up. Its first row is the percentage of the cyber system risk belonging to each category, its second row holds the probability factors of accidents introduced by cyber security events, and its third row holds the influence factors of the accidents on the power industry. Matrix (2) is a possible cyber security-risk matrix:
$$M_{sr} = \begin{pmatrix} 0.5 & 0.1 & 0.1 & 0.3 & 0 \\ 0.3 & 0.2 & 0.2 & 0.1 & 0.1 \\ 0 & 0.5 & 0.3 & 0.1 & 0.1 \end{pmatrix} \qquad (2)$$
The integrated vulnerability assessment can be calculated
by applying the following formula:
$$I_{ir} = W_{cai}\, M_{sr}\, LV^{T} \qquad (3)$$
where $I_{ir}$ is the vulnerability index, $LV$ is the security risk vector, whose values are taken from TABLE I, $M_{sr}$ is the cyber security-risk matrix, and $W_{cai} = [\,w_r \;\; w_a \;\; w_l\,]$ is a vector whose values indicate the weights of cyber security risk, accident risk and accident influence.
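As an added worked example (not the paper's own code), the following Python code carries the integrated risk assessment through from TABLE I to formula (3). It goes one step beyond the text by deriving the first row of M_sr from a set of Performance Index scores: each score is mapped to a risk level using the PI bands of TABLE I (a score exactly on a band boundary is assigned to the higher band, an assumption the table does not settle), and the fraction of scores falling in each band forms the first row. The PI scores, the accident probability and influence rows, and the weights W_cai are constructed illustrative values.

```python
# Risk categories of TABLE I, in LV order 1..5, with the upper PI bound of each band.
RISK_LEVELS = ("Very Low", "Low", "Normal", "High", "Very High")
PI_UPPER_BOUNDS = (35.0, 45.0, 65.0, 75.0)   # <35 | 35-45 | 45-65 | 65-75 | >75
LV = [1, 2, 3, 4, 5]                           # security risk vector LV taken from TABLE I


def risk_level(pi: float) -> int:
    """Map a Performance Index to its level LV (1..5) per TABLE I.
    Assumption: a score exactly on a boundary (35, 45, 65, 75) belongs to the higher band."""
    for level, upper in enumerate(PI_UPPER_BOUNDS, start=1):
        if pi < upper:
            return level
    return 5


def category_shares(pi_scores):
    """First row of M_sr: fraction of the assessed systems whose risk falls in each category."""
    if not pi_scores:
        raise ValueError("at least one PI score is required")
    counts = [0] * 5
    for pi in pi_scores:
        counts[risk_level(pi) - 1] += 1
    return [c / len(pi_scores) for c in counts]


def build_risk_matrix(pi_scores, accident_factors, influence_factors):
    """Assemble the 3x5 cyber security-risk matrix M_sr of (2): row 1 category shares,
    row 2 accident probability factors, row 3 influence factors on the power industry."""
    rows = [category_shares(pi_scores), list(accident_factors), list(influence_factors)]
    for row in rows:
        if len(row) != 5 or any(not 0.0 <= x <= 1.0 for x in row):
            raise ValueError("each row of M_sr needs five factors in [0, 1]")
    return rows


def integrated_vulnerability_index(w_cai, m_sr, lv=LV) -> float:
    """I_ir = W_cai * M_sr * LV^T from formula (3), computed with plain lists."""
    if len(w_cai) != 3 or len(m_sr) != 3 or len(lv) != 5:
        raise ValueError("W_cai must be 1x3, M_sr 3x5 and LV 1x5")
    m_lv = [sum(m * l for m, l in zip(row, lv)) for row in m_sr]   # M_sr * LV^T  -> 3x1
    return sum(w * x for w, x in zip(w_cai, m_lv))                  # W_cai * (M_sr LV^T) -> scalar


# Constructed inputs (illustrative, not from any real assessment).
SAMPLE_PI_SCORES = [20, 30, 40, 50, 60, 70, 80, 90, 55, 38]
SAMPLE_ACCIDENT_FACTORS = [0.05, 0.10, 0.20, 0.30, 0.35]   # probability of accidents per category
SAMPLE_INFLUENCE_FACTORS = [0.00, 0.10, 0.20, 0.30, 0.40]  # influence of accidents on the industry
SAMPLE_W_CAI = [0.4, 0.3, 0.3]  # weights (w_r, w_a, w_l) of risk, accident risk and influence

if __name__ == "__main__":
    m_sr = build_risk_matrix(SAMPLE_PI_SCORES, SAMPLE_ACCIDENT_FACTORS, SAMPLE_INFLUENCE_FACTORS)
    for name, share in zip(RISK_LEVELS, m_sr[0]):
        print(f"{name:>9}: {share:.0%} of systems")
    print(f"I_ir = {integrated_vulnerability_index(SAMPLE_W_CAI, m_sr):.2f}")
```

When the weights sum to 1 and each row of M_sr sums to 1, as they do here, I_ir lands on the same 1..5 scale as LV, so the result (3.5 for these constructed inputs) can be read against the categories of TABLE I directly.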
IV. METHODS TO PROMOTE CYBER SECURITY
Reference [8] points out that government should support
industry in two critical areas to better secure the control
systems controlling the critical infrastructures:
1. Establish an industry-wide information collection and
analysis center for control systems modeled after CERT
(Computer Emergency Response Team) to provide
information and awareness of control systems
vulnerabilities to users and industry.
2. Provide sufficient funding for the National SCADA Test
Bed to facilitate the timely and adequate determination
of the actual vulnerabilities of the various control
systems available in the market and develop appropriate
mitigation measures.
As to the power industry, efforts should be made in the following aspects to promote the security of the cyber systems [17]-[23]:
1. Build up a security center in the power industry. This center is responsible for the security of the whole industry's cyber systems, including physical devices (computers, switches, routers, bridges, hubs etc.), communication networks, operating systems, control systems and MIS.
2. Enhance security management. The security awareness
of the employees should be promoted by conducting
security training and testing periodically.
3. Enhance the management of newly imported cyber systems. The providers should assure that there are no security holes in their systems and that the systems will respond properly to security accidents.
4. Disable all default users and default passwords, assign access rights properly, enhance the management of source code and prevent its theft.
5. Build up a backup center for the cyber system, especially the control system, so that once a tragedy such as 9.11 takes place, business will continue in the backup center.
6. Set up security sections and enhance the access control between the sections; for example, Fig. 3 shows the security sections of a power corporation in China.
7. Improve the skills of the operators in the control center, decrease their dependency on cyber systems, and improve their ability to deal with accidents. Build up advanced schemes to meet emergencies.
Fig. 3. The security sections in a power corporation in China: Section I holds the control systems (SCADA/EMS/AGC), MIS and other applications; an isolator separates it from Section II, the internal platform (TMR/WDS); a second isolator separates Section II from Sections III and IV, the external platforms.
V. CONCLUSION
The deregulation and restructuring of the power system are still going on, and more and more people and organizations are entering this contest. This situation leads to the flourishing of the power market, as well as to greater complexity of the power system, both in its physical structure and in its operating model. As one of the important assets of the power industry, the cyber system is expanding and becoming more complicated rapidly. In turn, the cyber system is vulnerable to cascading failures and malicious attacks, and it is important for the power system to assess the cyber vulnerability and enhance the security of the cyber system.
Vulnerability assessment of cyber security is a systematic task and many methods can be applied to do the job. For instance, the probabilistic assessment and the integrated risk assessment presented in this paper are both workable. However, finding the appropriate methods for different power enterprises is still difficult.
Cyber system vulnerability in the power industry will always exist. However, power enterprises can reduce the influence of cyber system vulnerability to a minimum through proper construction and management.
VI. REFERENCES
[1] Wang Mei-yi, Wu Jing-Chang, Meng Ding-Zhong. Huge Power Grid Technology. China Electricity Publishing House, pp. 10-23.
[2] Massoud Amin. National Infrastructures as Complex Interactive
Networks. Automation, Control, and Complexity: An Integrated
Approach, T. Samad & J. Weyrauch (Eds.), pp. 263-286, John Wiley and
Sons Ltd., NY, March 2000
[3] John D. McDonald. Electric Power Substations Engineering. Published
by CRC Press. 2003.
[4] Cobus Strauss. Practical electrical network automation and
communication systems. Published by Butterworth Publishers Mar 1,
2004
[5] Riptech. Information Security Challenges in the electric power industry.
http://www.iwar.org.uk/cip/resources/utilites/WhitePaper.pdf
[6] David Watts. Security & Vulnerability in Electric Power Systems. NAPS
2003, 35th North American Power Symposium, University of Missouri-
Rolla in Rolla, Missouri, October 20-21, 2003. pp. 559-566.
[7] Amin Massoud, Security Challenges for the Electricity Infrastructure.
Special issue of the IEEE Computer Magazine on Security and Privacy,
April 2002 : 8-10
[8] Joseph M. Weiss. Control Systems Cyber Security: Maintaining the Reliability of the Critical Infrastructure. http://reform.house.gov/UploadedFiles/Weiss Congressional Testimony FINAL 03.24.041.pdf
[9] Joe Weiss. Information Security Needs for T&D Equipment.
Transmission & Distribution World, July 2001.http://tdworld.com/ar/
power_information_security_td/
[10] The NERC Steering Group. Technical Analysis of the August 14, 2003,
Blackout: What Happened, Why, and What Did We Learn?
http://www.nerc.com/
[11] Institute for Security Technology Studies at Dartmouth College. Cyber Security of the Electric Power Industry. http://www.ists.dartmouth.edu/library/analysis/cselectric.pdf
[12] Xin Yao-zhong, Cyber Security Assessment of power system. http://
www.infosec.org.cn/files/meetings/63.ppt
[13] Brooks, Frederick P. "No Silver Bullet" Refired, in The Mythical Man-Month, 20th Anniversary Edition, pp. 207-226.
[14] Brooks, Frederick P., "No Silver Bullet: Essence and Accidents of Software Engineering," Computer, Vol. 20, No. 4 (April 1987), pp. 10-19.
[15] G. Hamoud, D. Logan, A. P. Meliopoulos, M. Ni, N. Rau, L. Salvaderi, M. Schilling, Y. Schlumberger, A. Schneider, C. Singh. Probabilistic Security Assessment for Power System Operations. Prepared by the Task Force on Probabilistic Aspects of Reliability Criteria of the IEEE PES Reliability, Risk, and Probability Applications Subcommittee. http://clue.eng.iastate.edu/~jdm/WebConfPapers/RRPA_TaskForcePaper.pdf
[16] Ian Dobson, Benjamin A. Carreras, Vickie E. Lynch, Bertrand Nkei, David E. Newman. Estimating Failure Propagation in Models of Cascading Blackouts. 8th International Conference on Probability Methods Applied to Power Systems, Ames, Iowa, September 2004.
[17] W. Gangjun, Z. Xuesong, G. Zhizhong. Monitoring And Analysis of
Electric Power Information Security. Power System Technology. Vol.28,
No.9, pp50-53
[18] Stanley A. Klein. Best Practices in Information Security Protection for
the Utility Enterprise. IEEE, 2002
[19] Protect That Network: Designing Secure Networks for Industrial
Control, Eric Byres, IEEE Pulp and Paper Technical Conference,
Seattle, WA, June 1999, http://www.empowerednetworks.com/solution/
pdf/whitepapers/Protect_that_Network.pdf
[20] 'Information Security Primer: Helping the Energy Industry adapt to the
Internet Age, without compromising operational security or operating
flexibility', EPRI, September 2000, ftp://www.nerc.com/pub/sys/all
_updl/cip/EPRI-Security-Primer.pdf
[21] Best Practices for Securing SCADA Networks and Systems in the
Electric Power Industry. http://www.mont.ru/products/symantec/docs/
SCADA_NS_for_ElectricPower.pdf
[22] Trade Secrets: Policy Framework and Best Practices. http://www.wipo.org/sme/en/documents/wipo_magazine/05_2002.pdf
[23] U.S. Department of Energy Office of Energy Assurance. Vulnerability
Assessment And Survey Program-Overview of Assessment
Methodology. http://www.esisac.com/publicdocs/assessmentmethods/
OEA_VA_Methodology.pdf
VII. BIOGRAPHIES
Yu Jiaxi was born in Tuanfeng, Hubei province, China, on March 6, 1980. He graduated from Harbin Institute of Technology and continued his postgraduate education at HIT. He is now a Ph.D. student at the Electrical Engineering Department, Harbin Institute of Technology, Harbin, China. His current main research interests focus on power system operation and analysis, and information security in power systems.
Mao Anjia was born in Xishui, Hubei province, China, on August 28, 1975. He graduated from Harbin Institute of Technology and continued his postgraduate education at HIT. He is now a Ph.D. student at the Electrical Engineering Department, Harbin Institute of Technology, Harbin, China. His current main research interests focus on power system stability analysis and control, and information security in power systems.
Zhizhong Guo was born in Hebei Province, China, on October 11, 1961. He is now a professor in the Department of Electrical Engineering, Harbin Institute of Technology, Harbin, China, and a visiting professor at North China Electric Power University, Beijing, China. Prof. Guo is also the dean of the Electric Power Research Institute of Xuji Group Co., Beijing, China. His research interests include power system stability, power markets, optical current transducers and digital power systems.
